WordPress 4.9.1 Debuts with Updates to Harden Security

Two weeks after reaching general availability, WordPress 4.9 gets its first update fixing bugs and boosting security.

The open-source WordPress blogging and content management system (CMS) 4.9.1 update was released on Nov. 29, providing users with security and bug fix improvements.

WordPress is one of the most widely deployed CMS technologies on the internet today, powering 25 percent or more of all websites, according to some estimates. The security enhancements included in the 4.9.1 update have not been identified with a CVE (Common Vulnerabilities and Exposures) identifier and are considered to be improvements for security resiliency.

“WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack,” WordPress developer John Blackbourn wrote in a blog post.

Among the security hardening improvements that have landed in the WordPress 4.9.1 update is the use of a properly generated hash for the newbloguser key, which is used when creating new users. The code commit for the change indicates that previously a deterministic, and therefore predictable, substring was being used for the newbloguser key, which is less secure than a randomly generated value.

Additional hardening changes in WordPress 4.9.1 include properly escaping the language attributes used on HTML elements. WordPress developers have also taken steps in the 4.9.1 update to ensure that RSS feed enclosure attributes are correctly escaped. Escaping user-supplied data before output is a well-known secure coding practice.

“To escape is to take the data you may already have and help secure it prior to rendering it for the end user,” WordPress explains in its code documentation.

WordPress is also improving security by removing the ability to upload JavaScript files for users who do not have the capability known as “unfiltered_html”. According to WordPress, unfiltered_html allows users to post HTML or even JavaScript code in WordPress pages, posts, comments and widgets.

“Enabling this option for untrusted users may result in their posting malicious or poorly formatted code,” WordPress warns in its code documentation for roles and capabilities.
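The two hardening patterns described above, capability-gated uploads and attribute escaping, as an added plugin-style illustration. This is example code, not WordPress core or the 4.9.1 commit; `add_filter`, `upload_mimes`, `current_user_can`, `esc_attr` and `get_bloginfo` are real WordPress APIs, and the `js` key in the MIME map is assumed to match the site's configured allowed types.

```php
<?php
/*
 * Added example, not WordPress core code.
 * 1) Withhold the JavaScript upload type from any user who lacks the
 *    unfiltered_html capability, mirroring the 4.9.1 hardening.
 * 2) Escape a value before placing it in an HTML attribute, so that a
 *    value such as `en" onload="...` cannot break out of the attribute.
 */

// Users who may already post raw HTML/JS keep the configured MIME list;
// everyone else has the .js type removed before the upload is checked.
add_filter( 'upload_mimes', function ( array $mimes ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $mimes;
    }
    unset( $mimes['js'] ); // assumed key: 'js' => 'application/javascript'
    return $mimes;
} );

// Build the <html> tag's lang attribute from the site setting, escaped for
// attribute context. esc_attr() encodes quotes and angle brackets, so the
// returned string is always a single, well-formed attribute.
function example_escaped_lang_attribute() {
    $language = get_bloginfo( 'language' ); // e.g. "en-US"
    return sprintf( 'lang="%s"', esc_attr( $language ) );
}
```

Removing the type from `upload_mimes` means the upload is rejected before the file reaches the media library, which is the point at which the restriction is easiest to audit in logs.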

WordPress 4.9

The WordPress 4.9.1 release is the first incremental update to WordPress 4.9, which became generally available on Nov. 16. The WordPress 4.9 release is codenamed Tipton, after jazz musician and band leader Billy Tipton.

WordPress 4.9 added a number of new features, including enhancements to the site customiser that enable administrators to schedule when site design changes should go live. The WordPress 4.9 update was the second major release of WordPress in 2017, following the 4.8 update that was released on June 8.